Security Automation May 26th, 2010

Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error prone – Difficult to scale Inefficient – Resources spent on “security hygiene” Vulnerability management Configuration management Patch management Compliance management 2 Web Sites Guidance Documents Assessment Tools Management Tools Alerts & Advisories Reporting Tools

Security Automation: the solution Standardization: – Same Object, Same Name – Reporting Automation: – Efficiency – Accuracy – Resources re-tasked to harder problems: Incident response Infrastructure enhancement 3 Web Sites Assessment Tools Management Tools Alerts & Advisories Reporting Tools Guidance Documents

What are we achieving with Security Automation? Minimize Effort Reducing the time and effort of manual assessment and remediation Providing a more comprehensive assessment of system state Increase Standardization and Interoperability Enabling fast and accurate correlation within the enterprise and across organizations/agencies; Reporting Shortening decision cycles by rapidly communicating: Requirements (What/How to check) Results (What was found) Allowing diverse tool suites and repositories to share data Fostering shared situational awareness by enabling and facilitating data sharing, analysis, and aggregation

What are we achieving with Security Automation and Standardization? Standard data, economy of scale, and reuse Standardized security content can be developed once and used by many Common definitions for vulnerabilities, software, and policy statements Speed Rapidly identify vulnerabilities and improperly configured systems and communicate the degree of associated risk Zero day malware detection

Security Content Automation Protocol (SCAP) SCAP is a suite of specifications that together enable standardization and automation of vulnerability management, measurement, and technical policy compliance checking along with enhanced product and database integration capabilities with machine readable reporting. In other words, “the plumbing”

Security Content Automation Protocol (SCAP) Community developed Machine readable XML Reporting Representing security checklists Detecting machine state – Community developed – Product names – Vulnerabilities – Configuration settings Languages Means of providing instructions Enumerations Convention for identifying and naming Metrics Risk scoring framework Community developed Transparent Metrics Base Temporal Environmental

Business Systems Vulnerability Checks Infrastructure FixesAssetsEvent LanguagePatterns Sharable Policy System Characteristics Standard Names & Reference Conventions ControlsPolicy Reporting Layer and Data Interface WeaknessesThreats Lessons Learned Attack Patterns Technical Alerts & Signatures Bulletins and Advisories Situational Awareness Continuous Monitoring Automated Compliance Mgmt Notional Security Data Model

Reportable IT Systems OVALOCIL Inventoried, Trusted Connections OVRLAssetsEvent LanguagePatterns XCCDF System Characteristics ControlsPolicy Reporting Layer and Data Interface (TBD, e.g. XBRL, etc) TBDSignatures CAPEC Technical Bulletins Bulletins and Advisories Situational Awareness Continuous Monitoring Automated Compliance Mgmt TBD CRE CEE CERE CCECVECRETBD CCICCSSCPETBD Specifications-Based Security Automation

Security Automation Partners and Resources

Partners US Government – National Institute of Standards and Technology (NIST) – National Security Agency (NSA) – Department of Homeland Security (DHS) – Defense Information Systems Agency (DISA) Foreign Government – Japan - JVN/IPA - Japan Vulnerability Notes / Information Technology Promotion Agency – Spain – INTECO - Instituto Nacional de Tecnologías de la Comunicación Private Sector – Apple, Microsoft, Red Hat, Sun Microsystems – Security product vendors

National Vulnerability Database NVD is the U.S. government repository of public vulnerability management information. Provides standardized reference for software vulnerabilities. Over 39,000 CVE entries with the NVD Analysis Team evaluating over 6,000 vulnerabilities a year Product dictionary containing 18,000 unique product names Used by government, industry and academia Machine-readable data feeds Spanish and Japanese language translation

National Checklist Program U.S. Government repository of publicly available security checklists Eases compliance management Checklists cover 178 products SCAP content Checklist contributors include Government organizations Vendors Non-profit organizations Part 39 of the Federal Acquisition Regulation (FAR)

Content Tools eSCAPe Creation of new and/or customized configuration policies Puts the power of SCAP into the hands of existing staff; reduces cost/barrier of entry Government wide, department level, or agency specific Quickly generate specific assessment criteria for vulnerabilities or presence of malware Pushed out to SCAP enabled products Content Validation Ensures all content published to NCP is formatted correctly

SCAP Validation Program Provides product conformance testing for Security Content Automation Protocol (SCAP) National Voluntary Laboratory Accreditation Program – Independent testing laboratories – Reports validated by NIST (Validation Program) (Validated Products)

NIST SCAP Product Validation Program

Looking Ahead Remediation capabilities – Rapidly deploy corrective action Shutting down services, locking out accounts, etc… Network Event Management – Event Management Automation Protocol (EMAP)

Conclusion Security Automation: Improves efficiency Promotes interoperability of data and security tools Enables standardized reporting across multiple views Provides enhanced situational awareness